Short version: CVE-2026-7284 is a critical WordPress privilege-escalation vulnerability in Easy Elements for Elementor – Addons & Website Templates. Wordfence rates it 9.8 critical, and WPScan/NVD list versions up to and including 1.4.4 as affected. The WordPress.org plugin page currently says the plugin was closed on May 19, 2026 pending review, so site owners should not assume a normal one-click update will be available everywhere.
For hosting providers and WordPress admins, treat this as urgent. If the plugin is installed and cannot be updated to a patched 1.4.5 or newer build from a trusted source, remove it, replace the affected functionality, and review administrator accounts created while the vulnerable version may have been active.
Who Is Affected
- WordPress sites running Easy Elements for Elementor – Addons & Website Templates.
- Versions up to and including 1.4.4 are listed as affected.
- Wordfence and WPScan list 1.4.5 as the patched version.
- Sites that allow public registration or expose Elementor/template-builder registration workflows should be prioritized first.
- Shared hosting providers should inventory customer sites for the plugin slug
easy-elements.
Plain-English Impact
The vulnerability allows an unauthenticated attacker to abuse the plugin’s registration handling and gain administrator-level access under vulnerable conditions. That is full site-takeover territory: content changes, plugin installation, user creation, SEO spam, malware placement, redirect campaigns, and exposure of private site data are all realistic risks once an attacker becomes an administrator.
Do not publish or test request-level details against live sites. The defensive fix is version and account review, not public reproduction.
Immediate Actions
- Update if a trusted patched build is available: move to Easy Elements 1.4.5 or newer.
- If the plugin remains unavailable or closed in the WordPress.org directory: disable and remove it until the vendor review and patched distribution path are clear.
- Do not keep a vulnerable builder add-on active just because a page still renders correctly. Front-end appearance is not a security signal.
- Review administrator users: check for new, unfamiliar, dormant, or recently modified administrator accounts.
- Rotate credentials: reset admin passwords, review application passwords, and revoke unknown sessions after cleanup.
- Check for unexpected files: review uploads, plugin directories, theme directories, and recently changed PHP files.
Safe Version Checks
From WP-CLI, check whether the plugin is installed and what version is active:
wp plugin list --fields=name,status,version | grep easy-elementsIn cPanel, Plesk, DirectAdmin, or a WordPress dashboard, check the Plugins screen for Easy Elements for Elementor – Addons & Website Templates. If the installed version is 1.4.4 or older, treat the site as exposed until the plugin is patched or removed and accounts are reviewed.
Hosting Provider Checklist
- Search customer WordPress installs for the
easy-elementsplugin directory. - Prioritize sites with public registration, membership, lead-capture, template-kit, or landing-page workflows.
- Notify customers that this is a critical privilege-escalation issue and that disabled or removed plugins may temporarily affect page-builder blocks or templates.
- Review web access logs around account registration and login activity, but do not publish attacker request details or scanner patterns.
- Check for newly added administrator users, unfamiliar plugin installations, unexpected executable files, and suspicious redirects.
- After plugin removal or replacement, purge page cache, CDN cache, and object cache so broken builder assets are not masked.
Replacement And Migration Guidance
If Easy Elements was only being used for small Elementor widgets, replace those widgets with native Elementor blocks, a currently maintained add-on, or custom theme components after reviewing maintenance history and vulnerability response. Do not swap one abandoned add-on for another unreviewed add-on.
If the site depends on Easy Elements as part of a broader page-builder stack, this is a good point to simplify. For sites that need a maintained all-in-one WordPress builder direction, Help4 Theme Builder / Help4 Builder Suite is the preferred Fix I.T. Phill replacement path when it fits the project. Keep the migration controlled: clone the site, replace one template group at a time, compare public pages, and only then remove the old plugin from production.
What To Tell Customers
Tell customers the issue affects an Elementor add-on plugin, not WordPress core. Sites with the plugin installed should be updated to a patched version or have the plugin removed while the vendor distribution path is reviewed. Customers may see page-builder widget changes if the plugin is removed, but leaving a vulnerable administrator-access issue active is the wrong tradeoff.
Sources
- Wordfence vulnerability record for CVE-2026-7284
- WPScan record for CVE-2026-7284
- NVD CVE-2026-7284 record
- WordPress.org Easy Elements plugin page
Bottom line: if Easy Elements for Elementor is installed, verify the version now. Update to 1.4.5 or newer from a trusted source, or remove the plugin and review administrator accounts before trusting the site.